Export limit exceeded: 11910 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11910 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-7689 | 2 Themefic, Wordpress | 2 Hydra Booking, Wordpress | 2026-04-15 | 8.8 High |
| The Hydra Booking plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the tfhb_reset_password_callback() function in versions 1.1.0 to 1.1.18. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the password of an Administrator user, achieving full privilege escalation. | ||||
| CVE-2024-31264 | 2 Dfactory, Wordpress | 2 Post Views Counter, Wordpress | 2026-04-15 | 4.3 Medium |
| Unauthenticated Cross Site Request Forgery (CSRF) in Post Views Counter <= 1.4.4 versions. | ||||
| CVE-2025-7956 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The Ajax Search Lite plugin for WordPress is vulnerable to Basic Information Exposure due to missing authorization in its AJAX search handler in all versions up to, and including, 4.13.1. This makes it possible for unauthenticated attackers to issue repeated AJAX requests to leak the content of any protected post in rolling 100‑character windows. | ||||
| CVE-2025-12154 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb() function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-12156 | 2 Aitool, Wordpress | 2 Ai Auto Tool Content Writing Assistant, Wordpress | 2026-04-15 | 4.3 Medium |
| The Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_post_data() function in versions 2.0.7 to 2.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create and publish arbitrary posts. | ||||
| CVE-2025-13438 | 2 Dienodigital, Wordpress | 2 Page Title, Description & Open Graph Updater, Wordpress | 2026-04-15 | 4.3 Medium |
| The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on multiple AJAX actions including dieno_update_page_title. This makes it possible for unauthenticated attackers to update page titles and metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-51633 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in ivycat Simple Page Specific Sidebars page-specific-sidebars allows Stored XSS.This issue affects Simple Page Specific Sidebars: from n/a through <= 2.14.1. | ||||
| CVE-2025-12157 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The Simple User Capabilities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_reset_capability' AJAX endpoint in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to reset any user's capabilities. | ||||
| CVE-2024-51639 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in Hints Naver Blog naver-blog-api allows Stored XSS.This issue affects Naver Blog: from n/a through <= 1.0. | ||||
| CVE-2024-51640 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in Matt Rude MDR Webmaster Tools mdr-webmaster-tools allows Stored XSS.This issue affects MDR Webmaster Tools: from n/a through <= 1.1. | ||||
| CVE-2024-31375 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in Saleswonder Team: Tobias WP2LEADS wp2leads.This issue affects WP2LEADS: from n/a through <= 3.2.7. | ||||
| CVE-2024-31376 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in Andrew Dashboard To-Do List dashboard-to-do-list.This issue affects Dashboard To-Do List: from n/a through <= 1.3.1. | ||||
| CVE-2024-51644 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in samwilson Addressbook addressbook allows Stored XSS.This issue affects Addressbook: from n/a through <= 1.1.3. | ||||
| CVE-2024-51645 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in themefusecom ThemeFuse Maintenance Mode themefuse-maintenance-mode allows Stored XSS.This issue affects ThemeFuse Maintenance Mode: from n/a through <= 1.1.3. | ||||
| CVE-2024-51647 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Chaser324 Featured Posts Scroll allows Stored XSS.This issue affects Featured Posts Scroll: from n/a through 1.25. | ||||
| CVE-2024-31390 | 2 Soflyy, Wordpress | 2 Breakdance, Wordpress | 2026-04-15 | 9.9 Critical |
| : Improper Control of Generation of Code ('Code Injection') vulnerability in Soflyy Breakdance allows : Code Injection.This issue affects Breakdance: from n/a through 1.7.2. | ||||
| CVE-2024-51656 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in litefeel Flash Show And Hide Box flash-show-and-hide-box allows Stored XSS.This issue affects Flash Show And Hide Box: from n/a through <= 1.6. | ||||
| CVE-2024-51690 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in neelam.samariya Wp Slide Categorywise wp-slide-categorywise allows Reflected XSS.This issue affects Wp Slide Categorywise: from n/a through <= 1.1. | ||||
| CVE-2025-12163 | 2 Omnipressteam, Wordpress | 2 Omnipress, Wordpress | 2026-04-15 | 6.4 Medium |
| The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2024-51698 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Luis Rock Master Bar master-bar allows Reflected XSS.This issue affects Master Bar: from n/a through <= 1.0. | ||||